This next module talks about implementing risk management. That's part of the whole process. What are the activities that we need to do in order to implement risk management? There are basically seven major steps: define the process, the framework; identify internal and external environments; what context are we going to be doing the risk management program in; do gap analysis; and then see what other organizational support is available. Risk management typically consists of setting up the scope, the boundaries, doing asset identification and valuation, then doing an assessment of those assets with respect to risk, threats, and vulnerabilities, and identifying what we're going to do to treat that risk, realizing that we can't get it down to zero and that we have to accept the leftover, the residual risk. Then we need to communicate the information about what we've identified and what we've done to the stakeholders.

If you look at this slide 24, you're going to see that we have risk scenarios, we have different risk response options, we have different risk response parameters, we come out with a risk response, and then we prioritize that, because management doesn't have an unlimited checkbook, and we will only be allowed to do certain things. We need to develop a systematic approach for how we do this. We start out by identifying and assessing the risk, putting together a management program or a management plan. We then go to management and say these are the ones that we wanted to do, management tells us what controls we put in, and then we implement that risk management plan, and then we monitor those controls. Are they working? We feed that information, along with the ones that we didn't address, back into the process. It's iterative; we continue to do this.

The risk management framework is going to reflect the future state: where do we want to be? There are a number of standards out there that can be used. ISACA has one called COBIT. It's COBIT 5. The international community has a couple: ISO 31000 and 31010, risk management guidelines and then assessment techniques. NIST has 1,839. There's even an HB 158-2010, as well as the Information Security Management System risk management standard, which is 20,005. In order to define an efficient framework, we have to understand the organization's background. Do they have an existing standard, maybe like the ISO 9000 quality standard, that they could pull experience from and use in putting together this risk management program? We do that so that we can understand the organizational objectives, the environment in which we're going to be setting those objectives, and what the scope and criteria are for doing risk measurement.

When we look at the external environment, what are the external things that might affect the local business market, the competitive environment that's out there? Financial, political environment, laws, rules, regulations, social and cultural norms. And I'm always reminded, when I talk about cultural norms and we talk about physical access control, that there are parts of the world where certain parts of the body could not be used for biometrics like facial recognition software. Who are the external stakeholders? What's the internal environment? What drives the business? What are the strengths and weaknesses, opportunities and threats, or what we call SWOT analysis? Who are the internal stakeholders? What is their structure and their culture? What are the assets for this business function in terms of resources, and what do they already have in place in terms of a risk management strategy? That SWOT analysis is actually very helpful, because we look at strengths and we say, what are the internal strengths that we have? Where do they come from and how are they helpful? What are of external origin, and how is that helpful? Those are our opportunities. On the harmful side, what do we have internally that's harmful? It could be that you have weaknesses like untrained staff, and then, from an external point of view, what are the threats?

What's the context? What's the range of the organization? Are we covering all of the organization or just part of it? Who is responsible, and what are their roles and responsibilities? What's the likelihood that an event, a hurricane, for example, is going to occur, and if it does, what would be the impact to the business? What's the organization's risk appetite? How much risk are they willing to accept? What's risk tolerance? How much, what I call, wiggle room? For example, if you were to say their risk tolerance is a million dollars, that would be their risk appetite. But then risk tolerance might be, well, I could accept 1,500,000 or 1,200,000. It's that wiggle room, that little bit of extra, or maybe not quite a million dollars.

Part of what we have to do is gap analysis. Where am I and where do I want to be? Are we making progress in getting to that future state, what we defined with key goal indicators as where we want to be? Where do we go for other support for this risk management process? Good practices, best practices, PCI DSS, getting together with other networking roundtables, listening to the news, going to class and being trained on security, monitoring the vulnerability alerting services like US-CERT or the Center for Internet Security.

At the end of this module, what I would like for you to do is just to take a moment and name the four different risk treatment options, and then just give me an idea of how you might justify using each one of those risk treatment options.